Confidential computing

Confidential computing is a security and privacy-enhancing computational technique focused on protecting data in use. It can be used in conjunction with storage and network encryption, which protect data at rest and data in transit respectively. [1] [2] It is designed to address software, protocol, cryptographic, and basic physical and supply-chain attacks, although researchers have demonstrated architectural and side-channel attacks effective against the technology. [3]

The technology protects data in use by performing computations in a hardware-based trusted execution environment (TEE). [3] Confidential data is released to the TEE only once the TEE has been assessed to be trustworthy. Different types of confidential computing are distinguished by the level of data isolation used, whether virtual machine, application, or function, and the technology can be deployed in on-premises data centers, edge locations, or the public cloud. It is often compared with other privacy-enhancing computational techniques such as fully homomorphic encryption, secure multi-party computation, and Trusted Computing.

Confidential computing is promoted by the Confidential Computing Consortium (CCC) industry group, whose membership includes major providers of the technology. [4]

Properties

Trusted execution environments (TEEs) "prevent unauthorized access or modification of applications and data while they are in use, thereby increasing the security level of organizations that manage sensitive and regulated data". [4] [5] Trusted execution environments can be instantiated on a computer's processing components such as a central processing unit (CPU) or a graphics processing unit (GPU). [6] In their various implementations, TEEs can provide different levels of isolation including virtual machine, individual application, or compute functions. [7] Typically, data in use in a computer's compute components and memory exists in a decrypted state and can be vulnerable to examination or tampering by unauthorized software or administrators. [8] [9] According to the CCC, confidential computing protects data in use through a minimum of three properties: [10]

In addition to trusted execution environments, remote cryptographic attestation is an essential part of confidential computing. The attestation process assesses the trustworthiness of a system and helps ensure that confidential data is released to a TEE only after it presents verifiable evidence that it is genuine and operating with an acceptable security posture. [11] [12] [13] It allows the verifying party to assess the trustworthiness of a confidential computing environment through an "authentic, accurate, and timely report about the software and data state" of that environment. "Hardware-based attestation schemes rely on a trusted hardware component and associated firmware to execute attestation routines in a secure environment". [10] Without attestation, a compromised system could deceive others into trusting it, claim it is running certain software in a TEE, and potentially compromise the confidentiality or integrity of the data being processed or the integrity of the trusted code. [14] [10] [15]
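
As an added illustration of the attestation-gated release just described (example code written for this page, not code from the Confidential Computing Consortium or any vendor SDK), the Go program below plays both sides: the platform signs a report over the enclave's measurement, the platform's TCB version, a verifier-chosen nonce and the enclave's ephemeral public key, and the workload owner releases a data key only when every check against its policy passes. The report layout, the use of Ed25519 as the attestation signature scheme, the single integer TCB version and the Platform, Enclave and Policy types are simplifications assumed for the example; real reports are vendor-specific and are verified through the vendor's certificate chain and published TCB information.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified attestation report; its layout is an assumption for this
// example (SGX quotes, SEV-SNP and TDX reports and Arm CCA tokens differ in detail).
type Report struct {
	Measurement [32]byte // hash of the code and initial data loaded into the TEE
	TCBVersion  uint32   // security version of the platform firmware/microcode
	Nonce       [32]byte // verifier-chosen challenge, so a replayed report fails
	ReportData  [32]byte // hash of the TEE's ephemeral public key, binding it to this TEE
	Signature   []byte   // Ed25519 over the fields above by the platform attestation key
}

func (r *Report) signedBytes() []byte {
	v := r.TCBVersion
	b := append(append([]byte{}, r.Measurement[:]...), byte(v), byte(v>>8), byte(v>>16), byte(v>>24))
	return append(append(b, r.Nonce[:]...), r.ReportData[:]...)
}

type Platform struct { // hardware root of trust; only it holds the attestation key
	attestKey  ed25519.PrivateKey
	tcbVersion uint32
}
type Enclave struct { // the workload inside the TEE, with its ephemeral key pair
	measurement [32]byte
	Pub         ed25519.PublicKey
	priv        ed25519.PrivateKey
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewEnclave(code []byte) *Enclave {
	pub, priv := mustKey()
	return &Enclave{measurement: sha256.Sum256(code), Pub: pub, priv: priv}
}

// Attest signs measurement, TCB version, nonce and the enclave's public key.
func (p *Platform) Attest(e *Enclave, nonce [32]byte) *Report {
	r := &Report{Measurement: e.measurement, TCBVersion: p.tcbVersion,
		Nonce: nonce, ReportData: sha256.Sum256(e.Pub)}
	r.Signature = ed25519.Sign(p.attestKey, r.signedBytes())
	return r
}

type Policy struct { // what the workload owner (relying party) is willing to trust
	VendorKey       ed25519.PublicKey // trust anchor for attestation signatures
	AllowedMeasures [][32]byte        // allow-list of approved enclave builds
	MinTCBVersion   uint32            // platforms below this predate a TCB recovery
}

var (
	ErrBadSignature = errors.New("attestation signature invalid")
	ErrStaleNonce   = errors.New("nonce mismatch: report is not fresh")
	ErrStaleTCB     = errors.New("platform TCB below minimum version")
	ErrKeyNotBound  = errors.New("enclave public key not bound to report")
	ErrUnknownCode  = errors.New("measurement not on allow-list")
)

// ReleaseSecret is the key-release gate: authenticity, freshness, patch level, key binding
// and code identity are checked in that order; any failure keeps the secret with the owner.
// A deployment would wrap the secret to a key-agreement key bound in ReportData the same
// way; returning it in the clear here stands in for that step.
func ReleaseSecret(pol Policy, r *Report, nonce [32]byte, pub ed25519.PublicKey, secret []byte) ([]byte, error) {
	switch {
	case !ed25519.Verify(pol.VendorKey, r.signedBytes(), r.Signature):
		return nil, ErrBadSignature
	case r.Nonce != nonce:
		return nil, ErrStaleNonce
	case r.TCBVersion < pol.MinTCBVersion:
		return nil, ErrStaleTCB
	case r.ReportData != sha256.Sum256(pub):
		return nil, ErrKeyNotBound
	}
	for _, m := range pol.AllowedMeasures {
		if m == r.Measurement {
			return secret, nil
		}
	}
	return nil, ErrUnknownCode
}

func main() {
	vendorPub, vendorPriv := mustKey()
	platform := &Platform{attestKey: vendorPriv, tcbVersion: 7}
	enclave := NewEnclave([]byte("approved workload v1")) // constructed stand-in for enclave code
	pol := Policy{VendorKey: vendorPub, AllowedMeasures: [][32]byte{enclave.measurement}, MinTCBVersion: 5}
	var nonce [32]byte
	rand.Read(nonce[:])
	_, err := ReleaseSecret(pol, platform.Attest(enclave, nonce), nonce, enclave.Pub, []byte("dek"))
	fmt.Println("release error:", err) // <nil>: the data key is released to the approved enclave
}
```

The check order matters: the signature first (everything else in the report is attacker-controlled until it passes), then freshness, then the TCB floor, then the binding of the enclave's key to the report, and only then the measurement allow-list. Raising MinTCBVersion after a vendor TCB recovery is how an owner stops releasing secrets to platforms that have not been patched, and the ReportData check is what stops a genuine report from an approved enclave being relayed by a party that does not hold the enclave's private key.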

Technical approaches

Technical approaches to confidential computing may vary in which software, infrastructure and administrator elements are allowed to access confidential data. The "trust boundary," which circumscribes a trusted computing base (TCB), defines which elements have the potential to access confidential data, whether they are acting benignly or maliciously. [16] Confidential computing implementations enforce the defined trust boundary at a specific level of data isolation. The three main types of confidential computing are:

Virtual machine isolation removes the elements controlled by the computer infrastructure or cloud provider from the trust boundary, but allows potential data access by elements inside a virtual machine running on the infrastructure.

Application or process isolation permits data access only by authorized software applications or processes.

Function or library isolation is designed to permit data access only by authorized subroutines or modules within a larger application, blocking access by any other system element, including unauthorized code in the larger application. [17] [18]

[Figure: trust boundary illustration] Note: Specific implementations may eliminate the Virtual Machine Administrator role altogether.

Threat model

As confidential computing is concerned with the protection of data in use, only certain threat models can be addressed by this technique. Other types of attacks are better addressed by other privacy-enhancing technologies. [10]

In scope

The following threat vectors are generally considered in scope for confidential computing: [10]

The degree and mechanism of protection against these threats varies with specific confidential computing implementations. [20]

Out of scope

Threats generally defined as out of scope for confidential computing include: [10]

Use cases

Confidential computing can be deployed in the public cloud, on-premise data centers, or distributed "edge" locations, including network nodes, branch offices, industrial systems and others. [21]

Data privacy and security

Confidential computing protects the confidentiality and integrity of data and code from the infrastructure provider, unauthorized or malicious software and system administrators, and other cloud tenants, which may be a concern for organizations seeking control over sensitive or regulated data. [22] [23] The additional security capabilities offered by confidential computing can help accelerate the transition of more sensitive workloads to the cloud or edge locations. [24]

Multi-party analytics

Confidential computing can enable multiple parties to engage in joint analysis using confidential or regulated data inside a TEE while preserving privacy and regulatory compliance. [25] [26] In this case, all parties benefit from the shared analysis, but no party's sensitive data or confidential code is exposed to the other parties or system host. [8] Examples include multiple healthcare organizations contributing data to medical research, or multiple banks collaborating to identify financial fraud or money laundering. [27] [15]

Oxford University researchers have proposed an alternative paradigm, "Confidential Remote Computing" (CRC), which supports confidential operations in Trusted Execution Environments on endpoint computers and treats the stakeholders involved, the data, algorithm and hardware providers, as mutually distrustful. [28]

Regulatory compliance

Confidential computing assists in data protection and regulatory compliance by limiting which software and people may access regulated data, as well as providing greater assurance of data and code integrity. In addition, TEEs can assist with data governance by providing evidence of the steps taken to mitigate risks and demonstrating that these were appropriate. [29] In 2021, the European Union Agency for Cybersecurity (ENISA) classified confidential computing as a "state of the art" technology with respect to protecting data under the European Union's General Data Protection Regulation and Germany's IT Security Act (ITSiG). [30]

Data localization, sovereignty and residency

Regulations regarding data localization and residency or data sovereignty may require that sensitive data remain in a specific country or geographic bloc to provide assurance that the data will only be used in compliance with local law. Using confidential computing, only the workload owner holds the encryption keys required to decrypt data for processing inside a verified TEE. [31] This provides a technological safeguard that reduces the risk of data being exfiltrated and processed in plaintext in other countries or jurisdictions without the workload owner's consent. [32] [33]

Additional use cases for confidential computing include blockchain applications with enhanced record privacy and code integrity, privacy-preserving advertising technology, confidential databases and more.

Criticism

Multiple academic and security research groups have demonstrated architectural and side-channel attacks against CPU-based TEEs using a variety of approaches. [3] These include page-fault (controlled-channel) attacks, [34] cache attacks, [27] and memory-bus snooping, [35] as well as ÆPIC Leak [36] and SGAxe [37] against Intel SGX and the CIPHERLEAKS ciphertext side channel [38] against AMD SEV. Update mechanisms in the hardware, such as trusted computing base (TCB) recovery, can mitigate such vulnerabilities as they are discovered. [39] [40] A TCB recovery only protects relying parties that act on it: the attestation verifier must compare the TCB level the platform reports against the vendor's current TCB information and refuse to release secrets to platforms that still report a pre-recovery level.
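
The page-fault channel cited above [34] is a controlled-channel attack: the untrusted OS cannot read enclave memory, but it can unmap pages and learn from the resulting faults which pages the enclave touches. The simulation below is an added example written for this page (not code from any cited work); the 64 KiB byte-indexed table, the 4 KiB pages, the Tracer type standing in for the OS and the two lookup routines are all constructed for the illustration. It contrasts a secret-indexed lookup, whose single fault narrows a byte-sized secret to 16 candidates, with an oblivious lookup that touches every entry and produces the same trace for every secret.

```go
package main

import "fmt"

const (
	pageSize  = 4096
	entrySize = 256 // bytes per table entry, so 16 entries share one page
	entries   = 256 // a byte-indexed lookup table spanning 16 pages
)

// NewTable builds a constructed 64 KiB lookup table; only the first byte of each
// entry is read by the lookups below.
func NewTable() []byte {
	table := make([]byte, entries*entrySize)
	for i := 0; i < entries; i++ {
		table[i*entrySize] = byte(i*31 + 7)
	}
	return table
}

// Tracer stands in for the untrusted OS of a controlled-channel attack: it cannot read
// enclave memory, but by unmapping pages and serving the resulting faults it learns the
// sequence of pages the enclave touches. Here every table access reports its page.
type Tracer struct{ Pages []int }

func (t *Tracer) touch(addr int) { t.Pages = append(t.Pages, addr/pageSize) }

// LeakyLookup indexes the table directly with the secret. The page that faults tells
// the OS secret/16, i.e. the top four of the secret's eight bits, from a single access.
func LeakyLookup(t *Tracer, table []byte, secret byte) byte {
	addr := int(secret) * entrySize
	t.touch(addr)
	return table[addr]
}

// ObliviousLookup reads every entry and keeps the wanted one with a branch-free mask,
// so the page trace is identical for every secret.
func ObliviousLookup(t *Tracer, table []byte, secret byte) byte {
	var out byte
	for i := 0; i < entries; i++ {
		addr := i * entrySize
		t.touch(addr)
		// mask is 0xff when i == secret and 0x00 otherwise, computed without branching:
		// (x-1)>>31 is 1 only for x == 0, and 0 - 1 wraps to 0xff in a byte.
		x := uint32(byte(i) ^ secret)
		mask := byte(0) - byte((x-1)>>31)
		out |= table[addr] & mask
	}
	return out
}

// Trace runs a lookup under the tracer and returns the value and the observed pages.
func Trace(lookup func(*Tracer, []byte, byte) byte, table []byte, secret byte) (byte, []int) {
	t := &Tracer{}
	v := lookup(t, table, secret)
	return v, t.Pages
}

// RecoverRange is the attacker's inference for LeakyLookup: page p holds entries
// 16p .. 16p+15, so the secret is narrowed from 256 candidates to 16.
func RecoverRange(pages []int) (lo, hi int) {
	perPage := pageSize / entrySize
	return pages[0] * perPage, pages[0]*perPage + perPage - 1
}

// SameTrace reports whether two page traces are identical.
func SameTrace(a, b []int) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	table := NewTable()
	for _, secret := range []byte{3, 200} { // constructed sample secrets
		_, leaky := Trace(LeakyLookup, table, secret)
		lo, hi := RecoverRange(leaky)
		_, obliv := Trace(ObliviousLookup, table, secret)
		fmt.Printf("secret %3d: leaky trace %v -> attacker learns %d..%d; oblivious trace has %d touches\n",
			secret, leaky, lo, hi, len(obliv))
	}
}
```

The oblivious version costs 256 reads instead of one, which is the usual price of this defence, and it only closes the page-granularity channel: an observer with cache-line resolution, as in the cache attacks also cited above [27], would still need the access pattern to be data-independent at that finer granularity.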

The definition of confidential computing itself has also been criticized by some academic researchers. Scholars at the Technical University of Dresden, Germany, called it "imprecise, incomplete and even conflicting." [41] Researchers have made recommendations to make it more detailed and exact to facilitate research and comparisons with other security technologies. [41]

The "Confidential Remote Computing" (CRC) paradigm [42] claims to return confidential computing to the original design principles of TEEs and advocates small enclaves running on the computers end users already have. CRC adds practices and templates for multiple stakeholders, such as different data owners, hardware owners and algorithm owners, and so extends the broad notion of confidential computing with practices and methodologies for individual use.

None of the major microprocessor or GPU vendors still offers confidential computing hardware in personal computers, which confines the technology's use cases to server-class platforms. Intel SGX was introduced for PCs in 6th Generation Intel Core (Skylake) processors in 2015 but was removed from 11th Generation Intel Core (Rocket Lake) processors, a deprecation that drew public attention in 2022 when it left new systems unable to play Blu-ray discs. [43]

Comparison with other privacy-enhancing technologies

Confidential computing is often compared to other security or privacy-enhancing technologies, including fully homomorphic encryption, secure multi-party computing and trusted computing.

Fully homomorphic encryption

Fully homomorphic encryption (FHE) is a form of encryption that permits users to perform computations on encrypted data without first decrypting it. Confidential computing, in contrast, transfers encrypted data into a hardware-enforced, access-controlled TEE in the processor and memory, decrypts the data there, and performs the required computations; results may be re-encrypted before they leave the TEE. FHE carries substantially higher computational overhead than confidential computing and can require extensive application-specific coding, [44] but it is less susceptible to side-channel attacks since the data is never decrypted. [45] Several researchers have described use cases where confidential computing TEEs and FHE work together to mitigate the shortcomings of each technology acting alone. [46] [47]

Secure multi-party computation

Secure multi-party computation (SMPC) is a privacy-preserving technology that allows multiple parties to jointly compute a task using distributed algorithms while keeping each party's data private from the others. Confidential computing can also be used for privacy-preserving multi-party collaboration. Distributed computation with SMPC can be more expensive in computation and network bandwidth, [48] but it is less susceptible to side-channel attacks since no party ever holds the complete data set. [45]

Trusted computing

Trusted computing is a concept and set of standards published by the Trusted Computing Group that aim to establish trust in computing systems by using standardized hardware-based mechanisms like the Trusted Platform Module (TPM). [49] From a technical perspective, Trusted Computing and confidential computing rely on similar security concepts, such as trust architecture and remote attestation protocols. However, Trusted Computing targets a different set of threat models and a large variety of platforms (e.g., phones, laptops, servers, network equipment); [50] confidential computing addresses attack vectors that target the confidentiality and integrity of code and data in use, notably through the use of Trusted Execution Environments and memory encryption.

Providers

Confidential computing use cases require a combination of hardware and software, often delivered in conjunction with cloud service providers or server manufacturers.

Hardware provider: Advanced Micro Devices (AMD)
  Technology: AMD Secure Encrypted Virtualization - Secure Nested Paging (AMD SEV-SNP)
  Component: CPU
  Introduction: 2021 with 3rd Gen AMD EPYC server processors [51]
  Isolation level: Virtual Machine [52]

Hardware provider: Arm
  Technology: Arm Confidential Computing Architecture (Arm CCA)
  Component: CPU
  Introduction: 2021 with the Armv9-A architecture [53]
  Isolation level: Virtual Machine [54]

Hardware provider: IBM
  Technology: IBM Secure Execution for Linux
  Component: CPU
  Introduction: 2020 with IBM z15 and LinuxONE [55]
  Isolation level: Virtual Machine

Hardware provider: Intel
  Technology: Intel Software Guard Extensions (Intel SGX)
  Component: CPU
  Introduction: 2015 on 6th Gen Intel Core PC processors [56] (later deprecated) [note 1]; 2018 on Intel Xeon E-2100 series server processors [59] (later deprecated); 2021 on 3rd Gen Intel Xeon Scalable processors [60]
  Isolation level: Application/Process or Library/Function [17]

Hardware provider: Intel
  Technology: Intel Trust Domain Extensions (Intel TDX)
  Component: CPU
  Introduction: 2023 on 4th Gen Intel Xeon Scalable processors via select cloud providers [61]
  Isolation level: Virtual Machine [17]

Hardware provider: Nvidia
  Technology: Nvidia Confidential Computing
  Component: GPU
  Introduction: 2022 on Nvidia H100 family GPUs [62]
  Isolation level: Virtual Machine or Multi-User GPU Instance [63]

Cloud computing providers

Confidential computing technology and services can be accessed via public cloud computing providers, including Alibaba Cloud, [64] Baidu Cloud, [64] Google Cloud, [65] IBM Cloud, [66] Microsoft Azure, [67] OVHcloud [68] and others.

Application providers

Application software is required to enable most confidential computing use cases. Providers of confidential computing software applications include Anjuna, [64] CanaryBit, [69] Cosmian, [70] CYSEC, [71] Decentriq, [72] Edgeless Systems, [73] Enclaive, [74] Fortanix, [75] IBM Hyper Protect Services, [76] Mithril Security, [77] Oblivious, [78] Opaque Systems, [79] Scontain, [80] Secretarium [81] and others.

Confidential Computing Consortium

Confidential computing is supported by an advocacy and technical collaboration group called the Confidential Computing Consortium. [82] The CCC was formed in 2019 under the Linux Foundation. The founding premier members were Alibaba, Arm, Google Cloud, Huawei, Intel, Microsoft and Red Hat. The founding general members included Baidu, ByteDance, Decentriq, Fortanix, Kindite, Oasis Labs, Swisscom, Tencent and VMware. [83] [84] The CCC states its efforts are "focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration." [82]

Notes

  1. Intel deprecated Intel SGX on Intel Core-branded PC processors after 10th Gen and on Xeon E one-socket server processors after the 2300 series. It continues to be offered on Xeon Scalable and Xeon D-branded server processors. [57] [58]

References

  1. Fitzgibbons, Laura. "States of Digital Data". Data Management. TechTarget. Retrieved 2023-03-12.
  2. Schuster, Felix (2022-10-03). "Constellation: The First Confidential Kubernetes Distribution". The New Stack. Retrieved 2023-03-12.
  3. Akram, Ayaz; Akella, Venkatesh; Peisert, Sean; Lowe-Power, Jason (26–27 September 2022). "SoK: Limitations of Confidential Computing via TEEs for High-Performance Compute Systems". 2022 IEEE International Symposium on Secure and Private Execution Environment Design (SEED). IEEE. pp. 121–132. doi:10.1109/SEED55351.2022.00018. ISBN 978-1-6654-8526-5. S2CID 253271359.
  4. Rashid, Fahmida Y. (June 2020). "The rise of confidential computing: Big tech companies are adopting a new security model to protect data while it's in use". IEEE Spectrum. 57 (6): 8–9. doi:10.1109/MSPEC.2020.9099920. ISSN 1939-9340. S2CID 219767651.
  5. "Confidential computing: hardware-based trusted execution for applications and data" (PDF). Confidential Computing Consortium. November 2022. p. 2. Retrieved 2023-03-12.
  6. Poddar, Rishabh; Ananthanarayanan, Ganesh; Setty, Srinath; Volos, Stavros; Popa, Raluca (August 2020). "Visor: Privacy-Preserving Video Analytics as a Cloud Service" (PDF). 29th USENIX Security Symposium.
  7. Sturmann, Lily; Simon, Axel (2019-12-02). "Current Trusted Execution Environment landscape". Red Hat Emerging Technologies. Retrieved 2023-03-12.
  8. Rashid, Fahmida (2020-05-27). "What Is Confidential Computing?". IEEE Spectrum. Retrieved 2023-03-12.
  9. Olzak, Tom (2021-09-20). "What Is Confidential Computing and Why It's Key To Securing Data in Use?". Spiceworks. Retrieved 2023-03-12.
  10. "A technical analysis of confidential computing" (PDF). Confidential Computing Consortium. November 2022. Retrieved 2023-03-12.
  11. Mulligan, Dominic P.; Petri, Gustavo; Spinale, Nick; Stockwell, Gareth; Vincent, Hugo J. M. (September 2021). "Confidential Computing—a brave new world". 2021 International Symposium on Secure and Private Execution Environment Design (SEED). pp. 132–138. doi:10.1109/SEED51797.2021.00025. ISBN 978-1-6654-2025-9. S2CID 244273336.
  12. Sardar, Muhammad Usama (June 2022). "Understanding Trust Assumptions for Attestation in Confidential Computing". 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks - Supplemental Volume (DSN-S). pp. 49–50. doi:10.1109/DSN-S54099.2022.00028. ISBN 978-1-6654-0260-6. S2CID 251086713.
  13. Russinovich, Mark; Costa, Manuel; Fournet, Cédric; Chisnall, David; Delignat-Lavaud, Antoine; Clebsch, Sylvan; Vaswani, Kapil; Bhatia, Vikas (2021-05-24). "Toward confidential cloud computing". Communications of the ACM. 64 (6): 54–61. doi:10.1145/3453930. ISSN 0001-0782. S2CID 235171921.
  14. Russinovich, Mark; Costa, Manuel; Fournet, Cédric; Chisnall, David; Delignat-Lavaud, Antoine; Clebsch, Sylvan; Vaswani, Kapil; Bhatia, Vikas (2021-03-09). "Toward Confidential Cloud Computing: Extending hardware-enforced cryptographic protection to data while in use". Queue. 19 (1): 20:49–20:76. doi:10.1145/3454122.3456125. ISSN 1542-7730. S2CID 232368388.
  15. Banerjee, Pradipta; Ortiz, Samuel (2022-12-02). "Understanding the Confidential Containers Attestation Flow". Red Hat. Retrieved 2023-03-12.
  16. "Understanding Confidential Computing with Trusted Execution Environments and Trusted Computing Base models". Dell Technologies Info Hub. Retrieved 2023-03-20.
  17. "Intel SGX vs TDX: what is the difference?". CanaryBit. 2022-07-27. Retrieved 2023-03-12.
  18. "Common terminology for confidential computing" (PDF). Confidential Computing Consortium. December 2022. Retrieved 2023-03-12.
  19. Pecholt, Joana; Wessel, Sascha (2022-12-05). "CoCoTPM: Trusted Platform Modules for Virtual Machines in Confidential Computing Environments". Proceedings of the 38th Annual Computer Security Applications Conference. New York, NY, USA: ACM. pp. 989–998. doi:10.1145/3564625.3564648. ISBN 9781450397599. S2CID 254151740.
  20. Guanciale, Roberto; Paladi, Nicolae; Vahidi, Arash (September 2022). "SoK: Confidential Quartet - Comparison of Platforms for Virtualization-Based Confidential Computing". 2022 IEEE International Symposium on Secure and Private Execution Environment Design (SEED). IEEE. pp. 109–120. doi:10.1109/SEED55351.2022.00017. ISBN 978-1-6654-8526-5. S2CID 253270880.
  21. van Winkle, William (2019-12-31). "Protecting data on public clouds and edges with confidential computing". VentureBeat. Retrieved 2023-03-12.
  22. Crouse, Megan (2022-11-07). "What is confidential computing?". TechRepublic. Retrieved 2023-03-12.
  23. Novković, Bojan; Božić, Anita; Golub, Marin; Groš, Stjepan (September 2021). "Confidential Computing as an Attempt to Secure Service Provider's Confidential Client Data in a Multi-Tenant Cloud Environment". 2021 44th International Convention on Information, Communication and Electronic Technology (MIPRO). pp. 1213–1218. doi:10.23919/MIPRO52101.2021.9597198. ISBN 978-953-233-101-1. S2CID 244147507.
  24. "Strengthening cloud security with confidential computing". IBM Research Blog. 2021-02-09. Retrieved 2023-03-12.
  25. Law, Andrew; Leung, Chester; Poddar, Rishabh; Popa, Raluca Ada; Shi, Chenyu; Sima, Octavian; Yu, Chaofan; Zhang, Xingmeng; Zheng, Wenting (2020-11-09). "Secure Collaborative Training and Inference for XGBoost". Proceedings of the 2020 Workshop on Privacy-Preserving Machine Learning in Practice. ACM. pp. 21–26. doi:10.1145/3411501.3419420. ISBN 978-1-4503-8088-1. S2CID 222142203.
  26. Dave, Ankur; Leung, Chester; Popa, Raluca Ada; Gonzalez, Joseph E.; Stoica, Ion (2020-04-15). "Oblivious coopetitive analytics using hardware enclaves". Proceedings of the Fifteenth European Conference on Computer Systems. ACM. pp. 1–17. doi:10.1145/3342195.3387552. ISBN 978-1-4503-6882-7. S2CID 215728912.
  27. Liu, Fangfei; Yarom, Yuval; Ge, Qian; Heiser, Gernot; Lee, Ruby B. (May 2015). "Last-Level Cache Side-Channel Attacks are Practical". 2015 IEEE Symposium on Security and Privacy. IEEE. pp. 605–622. doi:10.1109/SP.2015.43. ISBN 978-1-4673-6949-7. S2CID 2741260.
  28. Küçük, Kubilay Ahmet; Martin, Andrew (2023-04-16). "CRC: Fully General Model of Confidential Remote Computing". arXiv:2104.03868 [cs.CR].
  29. "Privacy-enhancing technologies (PETs)" (PDF). Draft anonymisation, pseudonymisation and privacy-enhancing technologies guidance. Information Commissioner's Office. September 2022. Retrieved 2023-03-12.
  30. "IT Security Act (Germany) and EU General Data Protection Regulation: Guideline 'state of the art' - Technical and organisational measures" (PDF). TeleTrusT. 2021. Retrieved 2023-03-12.
  31. Schmidt, Kaja; Munilla Garrido, Gonzalo; Mühle, Alexander; Meinel, Christoph (2022). "Mitigating Sovereign Data Exchange Challenges: A Mapping to Apply Privacy- and Authenticity-Enhancing Technologies". In Katsikas, Sokratis; Furnell, Steven (eds.). Trust, Privacy and Security in Digital Business. Vol. 13582. Springer International Publishing. pp. 50–65. arXiv:2207.01513. doi:10.1007/978-3-031-17926-6_4. ISBN 978-3-031-17925-9. Retrieved 2023-03-12.
  32. Basak, Anirban (2023-02-06). "Confidential Computing: A Win-Win For Both Data Providers And Data Consumers". Forbes. Retrieved 2023-03-12.
  33. Shein, Esther (2023-02-01). "Why confidential computing will be critical to (not so distant) future data security efforts". VentureBeat. Retrieved 2023-03-12.
  34. Xu, Yuanzhong; Cui, Weidong; Peinado, Marcus (May 2015). "Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems". 2015 IEEE Symposium on Security and Privacy. pp. 640–656. doi:10.1109/SP.2015.45. ISBN 978-1-4673-6949-7. S2CID 6344906.
  35. Lee, Dayeol; Jung, Dongha; Fang, Ian T.; Tsai, Chia-Che; Popa, Raluca Ada (2020-08-12). "An off-chip attack on hardware enclaves via the memory bus". Proceedings of the 29th USENIX Conference on Security Symposium (SEC'20). USENIX Association. pp. 487–504. arXiv:1912.01701. ISBN 978-1-939133-17-5.
  36. Kovacs, Eduard (2022-08-09). "ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data". SecurityWeek. Retrieved 2023-03-12.
  37. Lakshmanan, Ravie (2020-06-10). "Intel CPUs Vulnerable to New 'SGAxe' and 'CrossTalk' Side-Channel Attacks". The Hacker News. Retrieved 2023-03-12.
  38. Li, Mengyuan; Zhang, Yinqian; Wang, Huibo; Li, Kang; Cheng, Yueqiang (2021). "CIPHERLEAKS: Breaking Constant-time Cryptography on AMD SEV via the Ciphertext Side Channel". 30th USENIX Security Symposium. pp. 717–732. ISBN 978-1-939133-24-3.
  39. "Confidential Computing Deep Dive v1.0" (PDF). Confidential Computing Consortium. October 2020. Retrieved 2023-03-12.
  40. van Schaik, Stephan; Seto, Alex; Yurek, Thomas; Batori, Adam; AlBassam, Bader; Garman, Christina; Genkin, Daniel; Miller, Andrew; Ronen, Eyal; Yarom, Yuval. "SoK: SGX.Fail: How Stuff Gets Exposed" (PDF). Georgia Institute of Technology. Retrieved 2023-03-12.
  41. Sardar, Muhammad; Fetzer, Christof (November 2021). "Confidential computing and related technologies: a review". Retrieved 2023-03-12.
  42. Küçük, Kubilay Ahmet; Martin, Andrew (December 2020). "CRC: Fully General Model of Confidential Remote Computing". arXiv:2104.03868 [cs.CR].
  43. "New Intel chips won't play Blu-ray disks due to SGX deprecation". BleepingComputer. Retrieved 2023-04-26.
  44. "Building Hardware to Enable Continuous Data Protections". DARPA. 2020-03-02. Retrieved 2023-03-12.
  45. 1 2 Popa, Raluca (2021-10-01). "Secure computation: Homomorphic encryption or hardware enclaves?". RISE Lab. Retrieved 2023-03-12.
  46. Wang, Wenhao; Jiang, Yichen; Shen, Qintao; Huang, Weihao; Chen, Hao; Wang, Shuang; Wang, XiaoFeng; Tang, Haixu; Chen, Kai; Lauter, Kristin; Lin, Dongdai (2019-05-19). "Toward Scalable Fully Homomorphic Encryption Through Light Trusted Computing Assistance". arXiv: 1905.07766 [cs.CR].
  47. Coppolino, Luigi; D'Antonio, Salvatore; Formicola, Valerio; Mazzeo, Giovanni; Romano, Luigi (May 2021). "VISE: Combining Intel SGX and Homomorphic Encryption for Cloud Industrial Control Systems". IEEE Transactions on Computers. 70 (5): 711–724. doi: 10.1109/TC.2020.2995638 . ISSN   1557-9956. S2CID   219488231.
  48. Hockenbrocht, Christopher (2020-02-01). "Cryptographic Techniques and the Privacy Problems They Solve". LeapYear. Retrieved 2023-03-12.
  49. Parno, Bryan; McCune, Jonathan M.; Perrig, Adrian (May 2010). "Bootstrapping Trust in Commodity Computers". 2010 IEEE Symposium on Security and Privacy. pp. 414–429. doi:10.1109/SP.2010.32. ISBN   978-1-4244-6894-2. S2CID   10346304.
  50. "Trusted Computing". Trusted Computing Group. Retrieved 2023-03-12.
  51. Takahashi, Dean (2021-03-15). "AMD launches third-generation Epyc processors for datacenters". VentureBeat. Retrieved 2023-03-12.
  52. Robinson, Dan. "Microsoft adds confidential VMs running on third-gen Epyc". www.theregister.com. Retrieved 2023-03-20.
  53. Hamblen, Matt (2021-03-30). "Arm launches v9 with Realms and Confidential Compute". Fierce Electronics. Retrieved 2023-03-12.
  54. Korolov, Maria (2021-05-04). "Confidential Computing: Arm Builds Secure Enclaves for the Data Center". Data Center Knowledge. Retrieved 2023-03-12.
  55. Moorhead, Patrick (2020-04-14). "IBM Bolsters Z Portfolio With New Data Privacy Capabilities". Forbes.
  56. Funk, Ben (2015-10-05). "Intel to begin shipping Skylake CPUs with SGX enabled". The Tech Report. Retrieved 2023-05-01.
  57. Pezzone, Jimmy (2022-01-15). "Intel's SGX deprecation impacts DRM and Ultra HD Blu-ray support". TechSpot. Retrieved 2023-03-12.
  58. Robinson, Dan (2023-02-15). "Intel issues patches for SGX vulnerabilities". The Register. Retrieved 2023-03-12.
  59. Synek, Greg (2018-11-05). "Intel launches the Xeon E-2100 and teases Cascade Lake Advanced Performance CPUs". TechSpot. Retrieved 2023-03-12.
  60. Condon, Stephanie (2021-04-06). "Intel launches third-gen Intel Xeon Scalable processor for data centers". ZDNET. Retrieved 2023-03-12.
  61. Kovacs, Eduard (2023-01-10). "Intel Adds TDX to Confidential Computing Portfolio With Launch of 4th Gen Xeon Processors". SecurityWeek. Retrieved 2023-03-12.
  62. Columbus, Louis (2022-03-31). "Nvidia is bringing zero trust security into data centers". VentureBeat. Retrieved 2023-03-12.
  63. Andersch, Michael; Palmer, Greg; Krashinsky, Ronny; Stam, Nick; Mehta, Vishal; Brito, Gonzalo; Ramaswamy, Sridhar (2022-03-22). "NVIDIA Hopper Architecture In-Depth". NVIDIA Developer. Retrieved 2023-03-12.
  64. 1 2 3 Preimesberger, Chris (2020-09-15). "Compare Top Confidential Computing Vendors". eWEEK. Retrieved 2023-03-12.
  65. Li, Abner (2020-07-14). "Google Cloud announces Confidential Computing 'breakthrough' that encrypts customer data in-use". 9to5Google . Retrieved 2023-03-12.
  66. O'Brien, Chris (2020-10-16). "Why IBM believes Confidential Computing is the future of cloud security". VentureBeat. Retrieved 2023-03-12.
  67. Taft, Darryl (2019-12-19). "Azure confidential computing, AWS aim to better secure cloud data". Software Quality. TechTarget. Retrieved 2023-03-12.
  68. Spadafora, Anthony (2021-10-26). "OVHcloud releases new Advance Bare Metal Servers for SMEs". TechRadar. Retrieved 2023-03-12.
  69. "2022 Superuser Awards Nominee: CanaryBit". Superuser. 2022-05-03. Retrieved 2023-03-12.
  70. "Deeptech Cosmian Raises €4.2m to Accelerate the Deployment of Its Privacy-by-default Solutions Using Advanced Cryptography". Fintech Futures. 2022-06-20. Retrieved 2023-03-12.
  71. "CYSEC". TOP 1000 Swiss Startups awards 2022. Retrieved 2023-04-18.
  72. Wiggers, Kyle (2022-03-22). "Decentriq raises $15M to expand its data clean rooms platform". VentureBeat. Retrieved 2023-03-12.
  73. Plumb, Taryn (2022-09-13). "Is confidential computing the future of cybersecurity? Edgeless Systems is counting on it". VentureBeat. Retrieved 2023-03-12.
  74. Schonschek, Oliver (2 November 2022). "Internationale Datentransfers – Sieht so die Lösung aus?". cloudcomputing-insider.de (in German). Retrieved 2023-03-12.
  75. Wiggers, Kyle (2022-09-15). "Cybersecurity firm Fortanix secures capital to provide confidential computing services". TechCrunch. Retrieved 2023-03-12.
  76. "Streamline Fintech Data Management With IBM Hyper Protect Services".
  77. Thompson, David (2022-11-02). "Mithril Security Democratizes AI Privacy Thanks To Daniel Quoc Dung Huynh" . Retrieved 2023-03-12.
  78. "Irish confidential computing start-up Oblivious has raised €5.35 million". Tech.eu. 2023-04-17. Retrieved 2024-01-18.
  79. Sharma, Shubham (2022-06-28). "Opaque Systems helps enterprises run collaborative analytics on confidential data". VentureBeat. Retrieved 2023-03-12.
  80. "Scontain". VentureRadar. Retrieved 2023-03-12.
  81. "Secretarium". IQCapital. 28 February 2022. Retrieved 2023-05-09.
  82. 1 2 "What is the Confidential Computing Consortium?". Confidential Computing Consortium. Retrieved 2023-03-12.
  83. "Confidential Computing Consortium Establishes Formation with Founding Members and Open Governance Structure". Linux Foundation. Retrieved 2023-03-12.
  84. Gold, Jack (2020-09-28). "Confidential computing: What is it and why do you need it?". CSO Online. Retrieved 2023-03-12.